Friday, 31 May 2019

Lazy Enlil

Sometimes during pentests we find pretty similar "environments". By environment - this time - I mean open ports, possible (mis)configuration bugs or default passwords still used to access the target box/app. That's why I decided to start 'something new'...

We will start here:



We will not focus on 'only scan' or 'only get a shell' mode [1, 2]. I tried to compare both ideas (from grabash and napalm) and create a little bit 'smaller and easier' tool to automate my day-to-day "pentests in modern/commercial 'environments'" - you name it. ;)


Below you will find a few (started - let's say - "PoCs" and) ideas for possible bugs/open ports found during your "initial pentest scan". For example (my Kali VM):







Main goal:
- scan the target box
- "grep" for open ports (or other possible hints - it depends on what module/path you provide/create)
- take the path to: get info about the remote box; get a shell; prepare an 'implant' (bd) for the remote box.

Easy like that.

(FYI: I really decided to make it quick and easy, so (for example) for the 'scanning' part
you will not find any super-new-and-cool techniques to scan ports or how to send sockets in python.

I just used nmap. :) If you need more (jokes or fun) - feel free to read the whole 'code'. ;]
Have fun.)

Here we go:



During your (nmap) scan you'll find that there is an Oracle TNS Listener open (let's say on the default port - 1521/tcp). In this case the 'enlil' script will provide "path(s)" you can choose from (during your legal pentests):

So - found Oracle TNS? - Let's use the 'default tool available on Kali' - tnscmd10g (lamely implemented in enlil.py ;] ) - checking:





*(of course - for my .66 VM box there was a 'failure' msg - I do not have Oracle TNS installed. Sorry :) But feel free to try it in your environment ;))

Next ("path") - unauthorized access (on port 9200/tcp) to ElasticSearch:


(P.S./BTW - yeah, I know there is 'RCE' - according to the message: 'script enlil.py should be started as root user':


...but the goal was to get there - not to get here. ;) Right? So.)

Next - a pretty easy and extremely lame (GET) webshell (now rewritten, but let's put some 'cool cmd exec' screen from the last-last-last version too...):


Whatever... ;] Next:

For now (for the 9200/tcp port) we also have a (preauth) 'search for some default information', like this:

(If you would like to get more examples or info about the configuration I used for 'ElasticSearch' - try here (or ask me directly)
... or use Bitnami-tag on the blog
... or RTFM :*

So...)

Next - checking Splunk's (8089/tcp - "REST API") port:


Next - checking (preauth) MongoDB access (default on 27017/tcp, but it can also be configured to use - for example - port 8191/tcp; grep banners carefully during the scan ;)):


Next...?

(...)

We can continue this because - as you can see - there are 'a lot of opportunities' to (re)write your own 'module' (or 'path' to make a check during your pentest - you name it ;)).
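As an added example (my own illustration here, not enlil's code) of the scan -> grep -> path flow above: parse nmap's greppable (-oG) output and list which 'path' applies to each open port, matching on the banner as well as the port so that a MongoDB moved off 27017/tcp is still caught. The path table, module names and sample scan lines are constructed for the example.

```python
import re
# Port -> "path" table mirroring the checks the post walks through (module names
# are hypothetical, not enlil's own). A port OR a banner keyword selects a path,
# so a MongoDB moved to 8191/tcp is still caught via its service banner.
PATHS = {
    "oracle-tns":    {"ports": {1521},  "keywords": ("oracle-tns",)},
    "elasticsearch": {"ports": {9200},  "keywords": ("elasticsearch",)},
    "splunk-rest":   {"ports": {8089},  "keywords": ("splunk",)},
    "mongodb":       {"ports": {27017}, "keywords": ("mongo",)},
}
# One nmap -oG port entry: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

def parse_greppable(text):
    """Return {host: [(port, state, service, version), ...]} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, _proto, _owner, service, _rpc, version = m.groups()
            hosts.setdefault(host, []).append((int(port), state, service, version))
    return hosts

def select_paths(hosts):
    """Map each host to the (port, path) checks that apply to its open ports."""
    chosen = {}
    for host, entries in hosts.items():
        for port, state, service, version in entries:
            if state != "open":
                continue  # filtered/closed ports give no path to follow
            banner = f"{service} {version}".lower()
            for name, rule in PATHS.items():
                if port in rule["ports"] or any(k in banner for k in rule["keywords"]):
                    chosen.setdefault(host, []).append((port, name))
    return chosen

# Constructed sample of nmap -sV -oG output (not a real scan result).
SAMPLE = (
    "Host: 192.168.1.66 ()\tStatus: Up\n"
    "Host: 192.168.1.66 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1/, "
    "1521/filtered/tcp//oracle-tns///, 8191/open/tcp//mongodb//MongoDB 3.6.8/, "
    "9200/open/tcp//http//Elasticsearch REST API 6.8.1/\tIgnored State: closed (996)\n"
    "Host: 192.168.1.70 ()\tPorts: 8089/open/tcp//ssl|http//Splunkd httpd/, "
    "27017/open/tcp//mongodb///\tIgnored State: closed (998)\n"
)
RESULT = select_paths(parse_greppable(SAMPLE))
```

Feeding `nmap -sV -oG scan.gnmap <target>` output into `parse_greppable` gives the same per-host list; each selected path is then the module you run next.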

Feel free to ping me in case of any questions (for some of the paths currently available you will probably need your Kali to get a few updates - for example, some python packages...).

Let me know if you (need any help or) find it useful.
*(Also if you would like to rewrite it or create some module(s)/path(s) (based on your pentest(s)) - feel free to drop me an email or DM @twitter. The code of the script will probably be developed somehow in the future, so maybe it will help someone to automate the pentest of some 'small commercial misconfigured environment' ;))

Remember to use it only for legal purposes. :]

Thanks.

Cheers
